Wrong authorization profile due to bad identification

CorpNetwork
Level 1

Hello,

Curious to know if anyone else had this issue. Computers are configured to authenticate using machine cert. Identity configured in

"Certificate Authentication Profile" set to SAN. I have ISE joined to two domains and I'm using Identity source sequence. For some reason, some computers from domain1 get authorization profile for domain2. Looking at the logs I see that ISE has different info for SAN & AD-Host-Resolved-Identities.
7 Replies

Cristian Matei
VIP Alumni

Hi,

Authentication and authorization are separate policies from ISE perspective; as I understand, your challenge to fix is that computers from AD1 match authorization profile of AD2; to fix it, you just need smarter condition within your authorization, based on AD groups & domain or SAN values.

Best,

Cristian.

@Cristian Matei Look at picture ISE2.png attached to the initial post and tell me what you understand from it. Why is it "resolving identity W11-5006650" from AD1 when the actual machine is called WH5011879 (member of the other domain)?

Thank you

Keep in mind it is going to work top down. If ISE finds a reference in the 1st domain it will try to authenticate it. Does any type of trust exist between the 2 domains? ISE deployments can support multiple certificate chains and profiles but each node can only support a single cert for EAP. Are the devices from both domains using the same Network Access Devices?

Thank you for your reply. There is no trust between domains (had but got removed). ISE is joined to both domains. Clients are using the same NAD. I don't experience this with all clients. Based on the attached logs (pictures) you can see ISE is "confused" on what device is connected to that port.

Please share your sanitized authentication and authorization policies for review. The issue could be caused by some loose conditions on the policies and also it would depend on the attributes parsed from the endpoints certificates.

Hi Aref.

See attached files

Thanks. I would try to do these two things, first, I would remove the internal endpoints from "AD1_Internal_copy" identity sequence, second, I would add the identity sequence to the certificate profile. If you are using this identity sequence in other authentication rules and you don't want to change it because of that, then you can clone it and apply the changes only on the interested authentication rule.